From: Mikael Kanstrup
Subject: Roaming on android blacklists incorrect bss
Message-ID: <57762B95.2090309@sonymobile.com>
Date: Fri, 1 Jul 2016 10:36:37 +0200

Hi Jouni and all,

On Android M we've seen cases where Android's way of roaming sometimes ends up blacklisting an incorrect bss. Connected to BSSID1, to roam to another AP the following sequence of commands is used:

SET_NETWORK 0 bssid
ENABLE_NETWORK 0
REASSOCIATE

Most of the time this works just fine, though if the authentication timer times out (probably due to auth/assoc/eapol packet loss) the BSSID roamed away from gets blacklisted (BSSID1), not the one failing to reassociate with (BSSID2).

Interesting lines from the log look like this:

wlan0: Considering connect request: reassociate: 1 selected: bssid: pending: 00:00:00:00:00:00 wpa_state: COMPLETED ssid= current_ssid=
wlan0: Request association with
wlan0: Re-association to the same ESS
...
wlan0: Add radio work 'connect'@0x7f9769c230
wlan0: First radio work item in the queue - schedule start immediately
wlan0: Starting radio work 'connect'@0x7f9769c230 after 0.000144 second wait
wlan0: Trying to associate with SSID
...
wlan0: State: COMPLETED -> ASSOCIATING
...
Limit connection to BSSID freq=5180 MHz based on scan results (bssid_set=1)
...
nl80211: Connect (ifindex=6)
  * bssid=
  * bssid_hint=
...
nl80211: Connect request send successfully
wlan0: Setting authentication timeout: 10 sec 0 usec
...
wlan0: Authentication with timed out.
Added BSSID into blacklist
TDLS: Remove peers on disassociation
wlan0: WPA: Clear old PMK and PTK
wlan0: Request to deauthenticate - bssid= pending_bssid=00:00:00:00:00:00 reason=3 state=ASSOCIATING

Question is, is this way of using the REASSOCIATE command to perform a roam operation valid?

I worked on a patch that solved this specific case but had to apply some hacks to reproduce it with hwsim tests. It would be great to get some feedback on the scenario and attached patches. I think not all of them should really be applied but should help discussing the problem seen.

Thanks
Mikael Kanstrup

From bef2433754014e13143f10ed2a778c8bbba0a518 Mon Sep 17 00:00:00 2001
From: Mikael Kanstrup
Date: Wed, 29 Jun 2016 15:44:19 +0200
Subject: [PATCH 5/5] Blacklist correct bssid on auth timeout if bssid_set

If authentication times out while performing reassociate with
bssid_set=1 incorrect bssid end up being blacklisted. Use pending_bss
field on auth timeout and deauth to ensure correct AP get blacklisted.

Change-Id: I11eec4f5bf05c6512486307c5afae969cdde4e02
---
 wpa_supplicant/wpa_supplicant.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c index 57881e8..73316db 100644 --- a/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c @@ -192,7 +192,7 @@ static void wpa_supplicant_timeout(void *eloop_ctx, void *timeout_ctx) { struct wpa_supplicant *wpa_s = eloop_ctx; const u8 *bssid = wpa_s->bssid; - if (is_zero_ether_addr(bssid)) + if (!is_zero_ether_addr(wpa_s->pending_bssid)) bssid = wpa_s->pending_bssid; wpa_msg(wpa_s, MSG_INFO, "Authentication with " MACSTR " timed out.", MAC2STR(bssid)); @@ -2156,7 +2156,10 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit) } else { wpa_msg(wpa_s, MSG_INFO, "Trying to associate with SSID '%s'", wpa_ssid_txt(ssid->ssid, ssid->ssid_len)); - os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); + if (bss && ssid->bssid_set) + os_memcpy(wpa_s->pending_bssid, bss->bssid, ETH_ALEN); + else + os_memset(wpa_s->pending_bssid, 0, ETH_ALEN); } if (!wpa_s->pno) wpa_supplicant_cancel_sched_scan(wpa_s); @@ -2685,12 +2688,12 @@ void wpa_supplicant_deauthenticate(struct wpa_supplicant *wpa_s, MAC2STR(wpa_s->bssid), MAC2STR(wpa_s->pending_bssid), reason_code, wpa_supplicant_state_txt(wpa_s->wpa_state)); - if (!is_zero_ether_addr(wpa_s->bssid)) - addr = wpa_s->bssid; - else if (!is_zero_ether_addr(wpa_s->pending_bssid) && + if (!is_zero_ether_addr(wpa_s->pending_bssid) && (wpa_s->wpa_state == WPA_AUTHENTICATING || wpa_s->wpa_state == WPA_ASSOCIATING)) addr = wpa_s->pending_bssid; + else if (!is_zero_ether_addr(wpa_s->bssid)) + addr = wpa_s->bssid; else if (wpa_s->wpa_state == WPA_ASSOCIATING) { /* * When using driver-based BSS selection, we may not know the -- 2.4.2
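
Review bot: In the wpa_supplicant_timeout() hunk (@@ -192,7), the new test "if (!is_zero_ether_addr(wpa_s->pending_bssid))" selects pending_bssid whenever it is non-zero and does not look at wpa_s->wpa_state, while the wpa_supplicant_deauthenticate() hunk prefers pending_bssid only in WPA_AUTHENTICATING or WPA_ASSOCIATING. If this timer can also fire once association has completed, a pending_bssid left over from an earlier attempt would be reported and blacklisted instead of wpa_s->bssid. Suggest using the same state condition here, or adding a comment that states where pending_bssid is guaranteed to be cleared.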
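
Review bot: In the wpas_start_assoc_cb() hunk (@@ -2156,7), the new "if (bss && ssid->bssid_set)" branch carries no comment explaining why pending_bssid may be filled in only when bssid_set is set, although this branch previously always cleared the field with os_memset(). A short comment would help, for example that with a configured BSSID the connection is limited to that BSS, so bss->bssid is the address a timeout should be attributed to, and that otherwise the field stays zero. Since this branch never set pending_bssid before, it is also worth confirming that no other code relies on it being zero on this path.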
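
Review bot: In the wpa_supplicant_deauthenticate() hunk (@@ -2685,12), moving the pending_bssid test ahead of "if (!is_zero_ether_addr(wpa_s->bssid))" changes addr for every deauthentication issued in WPA_AUTHENTICATING or WPA_ASSOCIATING while wpa_s->bssid is still set, not only for the blacklisting case described in the commit message. The lines shown do not reveal how addr is used further down; if it is also the address handed to the driver for the deauthentication, the reassociation case would now address the new BSS while the one in wpa_s->bssid may still be associated. Please confirm that this is intended, or limit the reordering to the blacklist decision.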